> > Are you sure? I have net.inet.tcp.signature_verify_input = 1 and only
> > one line in /etc/ipsec.conf for each BGP session using MD5 keys, on
> > 8.2-STABLE.
>
> Hmm, you are right, it seems that my second SAD entries are not used at all.
> However I'm now running with net.inet.tcp.signature_verify_input = 0, because 
> if I set it to 1
> the BGP sessions to my other FreeBSD routers disconnect. (and that is running 
> Quagga).
> Am I the only one who sees this running Quagga? One difference probably is 
> that I have both TCP-MD5 protected
> sessions and ones that are not. And the not protected sessions fail if I 
> start checking ingress tcp signatures.

Have a look at

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=452717+0+current/freebsd-net

This is a nice summary of the different possibilities. And indicates,
if I read it roght, that there *is* indeed a problem.

My case is Quagga bgpd talking to several JunOS routers, only a single
TCP session (with MD5) to each router. This works just fine.

I have never attempted BGP with MD5 between two FreeBSD boxes.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Reply via email to